[PATCH] Fix idmap cache pollution with S-1-22-

Volker Lendecke Volker.Lendecke at SerNet.DE
Wed Feb 27 20:05:06 UTC 2019

On Wed, Feb 27, 2019 at 09:57:20PM +0200, Uri Simchoni wrote:
> On 2/27/19 9:01 PM, Volker Lendecke via samba-technical wrote:
> > On Wed, Feb 27, 2019 at 07:27:21PM +0100, Ralph Böhme wrote:
> >> On Wed, Feb 27, 2019 at 07:04:46PM +0100, Volker Lendecke via samba-technical wrote:
> >>> Attached find a patchset that fixes a problem in a customer
> >>> environment: A short-term hiccup in winbind communication for a
> >>> uid2sid call made smbd fall back to legacy_uid_to_sid, filling the
> >>> idmap cache with S-1-22-1-uid for a week. The main point is that
> >>> conversion to S-1-22-x should not be cached, as this is a fallback of
> >>> last resort. Along the way, this cleans up that code path a bit.
> >>
> >> I guess I'd love to see this being assigned a bug and backports to the
> >> stable branches. What do you think? From your description it seems to be a
> >> real bug anyway.
> > 
> > If we only want to do a minimum necessary change fix it would look
> > differently. It would probably just skip priming the cache in the
> > legacy_xx routines.
> > 
> > Volker
> > 
> Great! RB+ me.
> I've been down that alley before at the end of my near-full-time Samba
> gig [1], nice to see this fixed. What I proposed back then might be
> considered for backports.
> As I recall, the reason for priming the cache in the first place was to
> reduce the load on the system with idmap backends which query the
> network [2], so skipping the priming altogether might introduce a
> regression elsewhere.
> [1] https://lists.samba.org/archive/samba-technical/2017-April/119917.html
> [2] https://lists.samba.org/archive/samba-technical/2015-January/104693.html

Crap, I introduced it :-(

The proper fix for the regression is to cache the negative mapping
once the LDAP server told us that "0" is not mapped. And this should
be done in pdb_ldap where we *know* the LDAP server did tell us this
is not mapped. The patchset contains a change to properly handle
negative mappings, which would make us ask LDAP once every 2 minutes.
The LDAP server should handle this.


SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: 0551-370000-0, mailto:kontakt at sernet.de
Gesch.F.: Dr. Johannes Loxen und Reinhild Jung
AG Göttingen: HR-B 2816 - http://www.sernet.de
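The thread describes two cache policies that are easy to conflate: priming the idmap cache with the S-1-22-x fallback SID (which turns a transient winbind outage into a week-long wrong mapping), and caching an authoritative negative answer from the backend so that an unmapped uid like 0 is re-asked only every couple of minutes. The model below is an added example written for this archive page, not Samba code: the cache, backend and clock are constructed stand-ins, the TTL values (one week positive, 120 seconds negative) are assumptions taken from the discussion, and the domain SID is made up. `simulate(True)` replays the pre-fix behaviour (fallback result cached), `simulate(False)` the proposed one (fallback never cached, negative answers cached briefly).

```python
import time

FALLBACK_PREFIX = "S-1-22-"          # Unix-uid / Unix-gid fallback SID range
POSITIVE_TTL = 7 * 24 * 3600         # assumption: one week, as in the reported pollution
NEGATIVE_TTL = 120                   # assumption: re-ask the backend every 2 minutes


class BackendUnavailable(Exception):
    """Transient failure talking to winbind / the idmap backend."""


class IdmapCache:
    """uid -> (sid or None, expiry). A stored None is an authoritative 'not mapped'."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._entries = {}

    def lookup(self, uid):
        entry = self._entries.get(uid)
        if entry is None:
            return None                      # miss
        sid, expiry = entry
        if self._clock() >= expiry:
            del self._entries[uid]           # expired: treat as miss
            return None
        return entry

    def store(self, uid, sid, ttl):
        self._entries[uid] = (sid, self._clock() + ttl)


def legacy_uid_to_sid(uid):
    """Fallback of last resort: synthesize S-1-22-1-<uid>."""
    return f"{FALLBACK_PREFIX}1-{uid}"


def is_fallback_sid(sid):
    return sid.startswith(FALLBACK_PREFIX)


def uid_to_sid(uid, backend, cache, cache_fallback):
    """backend(uid) returns a SID, None for an authoritative 'not mapped',
    or raises BackendUnavailable on a transient error."""
    hit = cache.lookup(uid)
    if hit is not None:
        sid = hit[0]
        # negative hit: fall back without bothering the backend again
        return sid if sid is not None else legacy_uid_to_sid(uid)
    try:
        sid = backend(uid)
    except BackendUnavailable:
        sid = legacy_uid_to_sid(uid)
        if cache_fallback:                   # pre-fix behaviour: prime cache with the fallback
            cache.store(uid, sid, POSITIVE_TTL)
        return sid
    if sid is None:
        cache.store(uid, None, NEGATIVE_TTL) # backend really said 'not mapped': cache briefly
        return legacy_uid_to_sid(uid)
    cache.store(uid, sid, POSITIVE_TTL)
    return sid


def simulate(cache_fallback):
    """Backend down at t=0, healthy afterwards; uid 1000 is mapped, uid 0 is not.
    Returns (first answer for 1000, answer after recovery, backend calls for uid 0
    across 60 lookups spread over 10 minutes)."""
    now = [0.0]
    cache = IdmapCache(clock=lambda: now[0])
    calls = {"n": 0}
    down = [True]

    def backend(uid):
        calls["n"] += 1
        if down[0]:
            raise BackendUnavailable()
        # constructed domain SID for uid 1000; anything else is unmapped
        return {1000: "S-1-5-21-1-2-3-1105"}.get(uid)

    first = uid_to_sid(1000, backend, cache, cache_fallback)
    down[0] = False
    now[0] = 60.0
    after = uid_to_sid(1000, backend, cache, cache_fallback)

    calls["n"] = 0
    for t in range(0, 600, 10):              # ask for uid 0 every 10 s for 10 minutes
        now[0] = 1000.0 + t
        uid_to_sid(0, backend, cache, cache_fallback)
    return first, after, calls["n"]


if __name__ == "__main__":
    print("cache fallback (old):", simulate(True))
    print("no fallback caching  :", simulate(False))
```

With `cache_fallback=True` the one-off outage leaves uid 1000 answering S-1-22-1-1000 even after winbind is back; with it off, the next lookup after recovery gets the real SID. In both runs the unmapped uid 0 costs only five backend round trips for sixty lookups, which is the negative-caching behaviour the reply argues should carry the load instead of cache priming.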
